
How to debug Security Hub checks failing in the CIS Reference Architecture?

Answer

A customer asked:

> How do I debug a Security Hub check that is failing for my CIS Reference Architecture?

[The Gruntwork CIS Reference Architecture](https://gruntwork.io/achieve-compliance/) implements a configuration that is compliant with [the CIS AWS Foundations Benchmark](https://www.cisecurity.org/benchmark/amazon_web_services/).

If you need to debug why a particular Security Hub check is failing for your CIS Reference Architecture, start by opening [the official AWS whitepaper on the CIS Foundations Benchmark](https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf) and looking for the section that maps to the failing check. For example, say your `Ensure a log metric filter and alarm exist for unauthorized API calls` Security Hub check is failing with `CLOUDTRAIL_METRIC_FILTER_NOT_VALID`. `Ensure a log metric filter and alarm exist for unauthorized API calls` is then the section of the whitepaper to review.

Within that section is an **Audit** subheader, which lays out exactly how to perform the check manually with a combination of AWS console tasks and AWS CLI calls. Perform the steps outlined under Audit and take note of the exact command or step that fails or cannot be completed successfully. This provides clues as to which of the CIS service catalog modules might have an issue.

Please include this information when opening tickets or sending inquiries to Gruntwork support, as it will greatly assist us in narrowing down the problem.

**Additional resources**

- [AWS Security Hub Core Concepts](https://gruntwork.io/repos/v0.3.0/cis-compliance-aws/modules/aws-securityhub/core-concepts.md) - Gruntwork guide detailing how the checks run, how they behave with cross-account architectures, etc.
- [Official AWS Whitepaper on CIS Foundations Benchmark](https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf)
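As an added illustration (not part of the original article or any Gruntwork module), the script below replays the Audit steps for the unauthorized API calls check over JSON you have already captured from the AWS CLI and reports the first step that fails. It assumes the filter pattern given in the benchmark for that section, the standard output shapes of `describe-trails`, `describe-metric-filters`, `describe-alarms` and `list-subscriptions-by-topic`, and a whitespace-insensitive pattern comparison (a simplification chosen here); the sample data is constructed.

```python
import re

# Filter pattern the whitepaper's "unauthorized API calls" section expects (CIS 3.1).
# Simplification (assumption): patterns are compared with whitespace removed.
UNAUTH_API_PATTERN = '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'

def _same_pattern(a, b):
    return re.sub(r"\s+", "", a) == re.sub(r"\s+", "", b)

def audit_unauthorized_api_calls(trails, filters, alarms, subs):
    """Replay the Audit steps for the check over pre-fetched AWS CLI JSON.
    trails:  `aws cloudtrail describe-trails` output
    filters: {log_group_name: `aws logs describe-metric-filters` output}
    alarms:  `aws cloudwatch describe-alarms` output
    subs:    {topic_arn: `aws sns list-subscriptions-by-topic` output}
    Returns None when every step passes, else a string naming the failing step.
    """
    candidates = [t for t in trails.get("trailList", [])
                  if t.get("IsMultiRegionTrail") and t.get("CloudWatchLogsLogGroupArn")]
    if not candidates:
        return "step 1: no multi-region trail delivering to CloudWatch Logs"
    first_failure = None
    for trail in candidates:
        log_group = trail["CloudWatchLogsLogGroupArn"].split(":")[6]  # 7th ARN field
        matching = [f for f in filters.get(log_group, {}).get("metricFilters", [])
                    if _same_pattern(f.get("filterPattern", ""), UNAUTH_API_PATTERN)]
        if not matching:
            failure = f"step 2: log group {log_group} has no metric filter for unauthorized API calls"
        else:
            metrics = {m["metricName"] for f in matching for m in f.get("metricTransformations", [])}
            hits = [a for a in alarms.get("MetricAlarms", []) if a.get("MetricName") in metrics]
            if not hits:
                failure = f"step 3: no CloudWatch alarm on metric(s) {sorted(metrics)}"
            elif any(subs.get(t, {}).get("Subscriptions")
                     for a in hits for t in a.get("AlarmActions", [])):
                return None  # this trail satisfies every Audit step
            else:
                failure = "step 4: alarm notifies an SNS topic with no subscribers"
        first_failure = first_failure or failure
    return first_failure

# Constructed sample CLI output (not from a real account): the filter exists, but no alarm watches it.
SAMPLE_TRAILS = {"trailList": [{"Name": "cis-trail", "IsMultiRegionTrail": True,
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:cis-trail-logs:*"}]}
SAMPLE_FILTERS = {"cis-trail-logs": {"metricFilters": [{"filterName": "UnauthorizedAPICalls",
    "filterPattern": UNAUTH_API_PATTERN,
    "metricTransformations": [{"metricName": "UnauthorizedAPICalls", "metricNamespace": "CISBenchmark"}]}]}}
SAMPLE_ALARMS, SAMPLE_SUBS = {"MetricAlarms": []}, {}
```

Run `audit_unauthorized_api_calls(SAMPLE_TRAILS, SAMPLE_FILTERS, SAMPLE_ALARMS, SAMPLE_SUBS)` and the returned step name is what to quote to support alongside the failing Security Hub finding.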